Am I a ‘data controller’ or a ‘data processor’, and why is it important anyway?

Introduction

The extent to which an organization is subject to obligations under EU data protection law depends on whether or not it is a ‘data controller’. Generally speaking, a party that handles personal data on behalf of the data controller is known as a ‘data processor’ and is subject to far fewer obligations under the law. However, it’s often far from clear who’s the controller and who’s the processor, so here are some guidelines to help you reach a conclusion.

Am I the ‘controller’ or the ‘processor’?

Control, rather than possession, of personal data is the determining factor here. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees). This could include anything as seemingly trivial as, for example, storage of the data on a third party’s servers, or appointing a data analytics provider.

Can I be both?

That sounds straightforward enough, but often the arrangements are not that simple. It is perfectly possible for two separate organizations to be data processors of the same data. Taking the example above, one organization runs the analytics whereas another organization stores the data – both are data processors of the data.

Similarly, the same organization can be both a data controller and a data processor. Taking the example one step further, if our analytics provider runs a customer’s data through its systems, the provider will be the processor of that data. However, the analytics provider may hold any number of other data sets, which it perhaps uses in its analytics tools. If the analytics provider is entitled to determine the way in which that other data is used, it will be the controller of that data.

OK, what does this all mean for me?

As data controller, you’ll be subject to a number of requirements under EU law, for example you must:

notify the relevant national authority before carrying out any data processing.

comply with European data protection principles, e.g. processing data fairly and lawfully, and using data for specific, legitimate purposes.

provide certain information to individuals about whom you hold personal data, e.g. your identity, details of the data you hold and what you plan to do with it.

enter into written agreements with your processors that require them to (a) act only on your instructions and (b) comply with the same security obligations as are imposed on you under the applicable national legislation.

I’ve heard the rules are changing – will that make a difference?

The General Data Protection Regulation, which came into force on 25 May 2018, imposes new obligations on data processors. In particular, processors will:

have to maintain a record of all processing operations under their responsibility.

be deemed to be a joint controller in respect of any data processing that they carry out beyond the scope of the controller’s instructions.

This will represent a significant change for data processors, who (under the current regime) can avoid direct liability under the law. Given the heavy fines that can be imposed for breaches of the new GDPR, processors will need to familiarize themselves with the new rules. Detailed analysis may be required to determine, for example, whether you need a Data Protection Officer or if your activities are outside the scope of a controller’s instructions. But now that you know whether you’re a data processor or controller, you’re off to a good start on your European data protection journey!
